Petition drive calls for government to auction off /8 block.


Europe has tapped out its supply of Internet addresses in its assigned range, but some tech prospectors believe they've found some IPv4 gold—a full block of 16,777,216 addresses that isn't used to connect to the Internet. But the British government agency that owns the block of addresses (referred to in IP networking as a /8 block) has no intentions of giving it up, even though almost none of the addresses will ever be publicly accessible. That has inspired an electronic petition campaign on a House of Commons website to convince British lawmakers to auction off the address block.

John Graham-Cumming, a programmer for CloudFlare and technology book author, pointed out the address block (from 51.0.0.0 to 51.255.255.255) in a recent blog post, noting that it was apparently unused. Based on a Network World article from May, he estimated the block could be worth as much as $1.5 billion on the open market, given that it's essentially the last unused block of its size.

The Department for Work and Pensions, which was assigned the block by RIPE NCC (Réseaux IP Européens Network Coordination Centre), acknowledged its ownership of the address block in a response to a Freedom of Information request made by James Marten last December on behalf of the public watchdog site Whatdotheyknow.com. According to a letter from DWP spokesman Phil Tomlinson on behalf of the department's IT group, the addresses (or at least about 80 percent of them) are in use, but none are intended to be reachable from the public Internet. The remainder are being used as the basis for a proposed Public Services Network, a private government intranet.

That would make the addresses ripe, so to speak, for renumbering onto a private network, which would free the public block for other use. However, Tomlinson wrote, "DWP have no plans to release any of the address space for use on the public Internet." The reason, he said, was that readdressing the existing systems already configured with addresses from the block would be too expensive. "DWP are aware that the worldwide IPv4 address space is almost exhausted, but knows that in the short to medium term there are mechanisms available to ISPs that will allow continued expansion of the Internet, and believes that in the long-term a transition to IPv6 will resolve address exhaustion," he wrote; besides, a freed block of that size would only last a few months.


Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com / Twitter: @thepacketrat

Yeah, probably. At the least, it would take long enough to untangle that mess that it's not worth the effort. IPv6 is there, it works, it's time to stop avoiding it and drag the stragglers into compliance.


This. Who the fuck cares who has what, IPv6 is the only place we should be going right now.

So what about the 10 or so of these blocks that the US government is sitting on?

Or Apple's block? Or IBM's? Or the two that HP has?

Yes, what about those? The feds are pushing IPv6 internally, especially in DOD. But they have so much still based on IPv4 in terms of services (and I mean hard-wired for IPv4, with addresses that go back to ARPANET), it's going to be a decade or more before they fully convert.

Governments should really sell these blocks while the market is at its peak. I strongly suspect it would cost less than $1.5 billion to upgrade their network to IPv6, so any cost difference there is just profit.

The addresses—or at least about 80 percent of them—are in use, according to a letter from DWP spokesman Phil Tomlinson on behalf of the department's IT group.

That's a lot of machines to re-address. As someone who is undertaking a network readdressing project (although not of that scale), I completely understand why they don't want to convert to RFC1918 addresses. As they've said, IPv6 is the better solution.

Governments should really sell these blocks while the market is at its peak. I strongly suspect it would cost less than $1.5 billion to upgrade their network to IPv6, so any cost difference there is just profit.

Highly unlikely, especially if there is any specialized, embedded-type equipment being used.

Devin wrote:

What? 80% of a /8 are used? How many computers does that agency have? That can't be right.

If it was before CIDR, very likely so. There isn't full utilization of the address space by design, just like how IPv6 isn't promoting or expecting full utilization of the 2^128 address space.


I did some work at IBM and found it funny that they used their 9.0.0.0/8, but then all the PCs had to access the Internet via a SOCKS proxy. They might as well have used the private 10.0.0.0/8 at that point.


I used to work for SITA, owner of the 57.0.0.0/8 and registrar for .aero (bet you've never heard of either one) -- they also use publicly addressable IPs for internal systems, most of which are not ever supposed to be directly accessible from the internet (the proxies were in Atlanta, GA and somewhere in Northern France; so it was a crapshoot if I'd get ads in English or French).

They do have installations everywhere (except Antarctica, North Korea, and Palestine as best I could tell), colo'd in airport data centers, and assigned a VPN'd 57.* network. Our lab network, ironically, was sequestered off to a 10.* address. And to continue the irony, when one of the lab systems needed to be accessible from the Internet for a proof-of-concept project it was done not through the company's network, but through a cable modem.

All of this said, most of the systems that are on one of the private /8's could be readdressed overnight simply by changing the DHCP servers. That would probably take care of 90% of the systems. It's the other 10% that are a major pain and a serious cost to fix. Especially since you can be sure that most of them are servers, running software that has IP addresses (not names) in config files, host files, or even hardcoded into the software.

Readdressing entire networks, especially government legacy systems, is not for the faint of heart. I do not doubt the man when he says it is cost-prohibitive. Things will break. Fixing them will be hard to impossible. Services, probably critical, will be disrupted. Very Important People will be very pissed off. This is the reality of IT.
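The "other 10%" described in this post (servers with literal addresses in config files, hosts files, or the software itself) is the part of a readdressing project that has to be inventoried before anyone can estimate its cost. The following is an added example, not code from the article or from any commenter: it scans configuration text for IPv4 literals and reports only the ones that fall inside a given block, so the list of things that would break when 51.0.0.0/8 is withdrawn can be built from the files rather than guessed. The sample configuration, hostnames and file names are constructed for the illustration; only the 51.0.0.0/8 block itself comes from the article.

```python
import ipaddress
import re
from collections import Counter

# Dotted-quad candidates; lookarounds stop "version = 2.4.1.0.7" or
# "1.2.3.4.5" from yielding partial matches. Candidates are validated below.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_block_references(text: str, block: str) -> list[tuple[int, str]]:
    """Return (line_number, address) for every IPv4 literal in `text`
    that belongs to `block`. Literals outside the block (loopback,
    RFC 1918 space, version strings that merely look like addresses)
    are deliberately ignored: they do not have to move."""
    net = ipaddress.IPv4Network(block)
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in IPV4_RE.finditer(line):
            try:
                addr = ipaddress.IPv4Address(match.group(1))
            except ValueError:
                continue  # e.g. 999.1.1.1: dotted digits, not an address
            if addr in net:
                hits.append((lineno, str(addr)))
    return hits


def summarize(hits: list[tuple[int, str]]) -> dict:
    """Roll the hit list up into the numbers a renumbering plan needs:
    how many places must be edited, how many distinct addresses they
    name, and which addresses are referenced most (the riskiest ones)."""
    by_addr = Counter(addr for _, addr in hits)
    return {
        "references": len(hits),
        "distinct_addresses": len(by_addr),
        "most_referenced": by_addr.most_common(3),
    }


# Constructed sample: a hosts file and an application config, invented
# for this example. The 51.x addresses are inside the article's block;
# the 10.x and 127.x entries and the version string are decoys.
SAMPLE_CONFIG = """\
# /etc/hosts (constructed)
127.0.0.1   localhost
51.12.0.5   payroll-db.internal
51.12.0.6   payroll-app.internal
10.20.0.9   lab-jump

# app.conf (constructed)
db.host = 51.12.0.5
db.port = 5432
version = 2.4.1.0
ldap.url = ldap://51.40.3.2:389/
cache.host = cache.internal
"""

if __name__ == "__main__":
    hits = find_block_references(SAMPLE_CONFIG, "51.0.0.0/8")
    for lineno, addr in hits:
        print(f"line {lineno}: {addr}")
    print(summarize(hits))
```

Run over a real tree, the same function would be applied file by file (and the hit list would be the work queue for the renumbering); the regex intentionally over-matches and relies on `ipaddress` for validation, which is why `2.4.1.0` is parsed but then discarded as not belonging to the block.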

What? 80% of a /8 are used? How many computers does that agency have? That can't be right.

Doesn't necessarily have to be hosts. I'm betting that when they got the block they started using /24s as point-to-points between routers (CIDR not really in use back in the day), so you use 2 addresses out of the /24 and the rest you can't use any more.

Well, you can if you change media from serial to, for example, Ethernet, but still, if you have thousands of p2ps between offices, VPNs, et cetera, you start bleeding blocks that you can't use really quickly. Been there, done that.
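The two posts above make a quantitative claim: "in use" can mean "allocated to a link subnet", and with /24 point-to-point links almost every allocated address is stranded. The block below is an added example, not code from any commenter, that works the arithmetic out with the standard `ipaddress` module for the block the article names. It assumes each point-to-point link needs exactly two router addresses, and it treats /31 as usable for such links per RFC 3021 (the /31 case is my addition; the thread only contrasts /24 with smaller subnets). The scenario of 1000 links is constructed, not a figure from the page.

```python
import ipaddress


def p2p_plan(block: str, link_prefix: int, n_links: int) -> dict:
    """Model carving `n_links` point-to-point links out of `block`, each as a
    subnet of length `link_prefix`. Every link needs two router addresses;
    everything else in its subnet is consumed but stranded. This is prefix
    arithmetic on a constructed scenario, not a measurement of any network."""
    net = ipaddress.IPv4Network(block)
    if not net.prefixlen <= link_prefix <= 32:
        raise ValueError("link prefix must lie between the block prefix and /32")
    per_link = 2 ** (32 - link_prefix)  # addresses each link's subnet occupies
    # A /31 (RFC 3021) uses both of its addresses; anything shorter gives up
    # the network and broadcast addresses, and a /32 cannot hold a link at all.
    usable = per_link if link_prefix == 31 else per_link - 2
    if usable < 2:
        raise ValueError(f"/{link_prefix} cannot carry a point-to-point link")
    capacity = 2 ** (link_prefix - net.prefixlen)  # subnets of that size in the block
    if n_links > capacity:
        raise ValueError(f"only {capacity} /{link_prefix} subnets fit in {block}")
    consumed = n_links * per_link
    assigned = n_links * 2
    return {
        "capacity": capacity,             # links the block could hold at this prefix
        "consumed": consumed,             # addresses no longer available to anyone else
        "assigned": assigned,             # addresses actually configured on routers
        "stranded": consumed - assigned,  # allocated but unusable
        "share_of_block": consumed / net.num_addresses,
    }


def compare_link_prefixes(block: str = "51.0.0.0/8", n_links: int = 1000,
                          prefixes: tuple = (24, 30, 31)) -> dict:
    """Same link count, different subnet sizes: {prefix: plan}."""
    return {p: p2p_plan(block, p, n_links) for p in prefixes}


if __name__ == "__main__":
    for p, plan in compare_link_prefixes().items():
        print(f"/{p}: consumed={plan['consumed']:>7} assigned={plan['assigned']:>5} "
              f"stranded={plan['stranded']:>7} share={plan['share_of_block']:.2%}")
```

With /24 links, 1000 links consume 256,000 addresses and strand 254,000 of them, while the block could be filled completely with 65,536 such links that together configure only 131,072 router interfaces; the same 1000 links on /30s consume 4,000 addresses, and on /31s strand nothing. That gap is the difference between "80 percent allocated" and the number of machines anyone would count.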

All of this said, most of the systems that are on one of the private /8's could be readdressed overnight simply by changing the DHCP servers. That would probably take care of 90% of the systems. It's the other 10% that are a major pain and a serious cost to fix. Especially since you can be sure that most of them are servers, running software that has IP addresses (not names) in config files, host files, or even hardcoded into the software.

Configure a Raspberry Pi with a specialized NAT software stack which just converts between 51.x.x.x on one side and 10.x.x.x on the other, and stick one in front of each of these Untouchably Holy Servers.

How would you sell it anyway? I really doubt any ISP in China has any interest in polluting their route tables with 51.1.2.0/24 to Hong Kong and 51.1.3.0/24 to Los Angeles and 51.1.4.0/24 to the Philippines.

The end result of trying to sell off tiny blocks of IPv4 would be useless address ranges because ISPs won't carry your routes. Addresses need to be in large blocks associated to some physical region or at least some organization that will take responsibility for routing all the traffic.


/20 is the smallest block that you can normally get propagated around the globe, no problems at all after that. /8 is quite many /20's.

The quality of Ars has gone down so much the last few years, it's very sad.

Devin wrote:

What? 80% of a /8 are used? How many computers does that agency have? That can't be right.

It's a legacy assignment, and thus usage rules don't apply.

joshv wrote:

So they reserved a massive block of publicly routable IP addresses for a *private* network. This is why IP addresses should have market based prices. Waste like this wouldn't happen.

As stated, this would have been a pre-CIDR assignment, and that is how all IP blocks were assigned back then. "Waste like this wouldn't happen" just shows how little you actually know about how ANY of this actually worked / works.

Configure a Raspberry Pi with a specialized NAT software stack which just converts between 51.x.x.x on one side and 10.x.x.x on the other, and stick one in front of each of these Untouchably Holy Servers.

Clearly you have a lot of experience with Carrier Grade NAT.

joshv wrote:

So they reserved a massive block of publicly routable IP addresses for a *private* network. This is why IP addresses should have market based prices. Waste like this wouldn't happen.

There was originally no distinction. Decommissioning of NSFNET (10/8), RFC1918 and proxying, then NATing firewalls changed things. I reserve far more enmity for the reservation into unusability of 240/4 (formerly "Class E" space) than I do for organizations that don't use private addresses. Organizations still shouldn't be wasting space, though. CIDR has been prescribed since 1993, the same year as IPv6 debuted.

It's taken longer than I expected for security to move to endpoints and protocols (e.g., HTTP and other protocols over TLS; SSH) and away from NATing border chokepoints. Putting servers on real addresses prevents a lot of problems when merging networks of RFC1918 addresses, for instance.


All of this said, most of the systems that are on one of the private /8's could be readdressed overnight simply by changing the DHCP servers. That would probably take care of 90% of the systems. It's the other 10% that are a major pain and a serious cost to fix. Especially since you can be sure that most of them are servers, running software that has IP addresses (not names) in config files, host files, or even hardcoded into the software.

Configure a Raspberry Pi with a specialized NAT software stack which just converts between 51.x.x.x on one side and 10.x.x.x on the other, and stick one in front of each of these Untouchably Holy Servers.

*Now* I can haz mi 10%?

There is no guarantee that there are DHCP servers involved anywhere, especially given how long they've had the block. I'd be willing to bet that some proportion of the addresses are also hard-coded into software running on different systems, meaning a simple change to the DNS file would cause things to break in very interesting ways... Legacy networks, like legacy hardware and software, can be fun!


No. It's "easy" to convert to using IPv6 externally. That's mainly your ISP and the servers you connect to. For messy internal networks like this, they just keep using IPv4 internally. OTOH, trying to extricate those addresses so they can be used on the internet is nearly impossible, because they have to be completely stripped from the internal network (otherwise the machines could never hit any servers that use those sold IPs). It's the difference between a gradual and pretty painless rollout as stuff is naturally replaced, and a forced change that will require a lot of new hardware and every single machine and switch/router to be surveyed, updated or replaced, etc.

Be honest, in Internet Time all this is ancient history. Most people don't know what the hell you're talking about since networks aren't done like that anymore.

It's called the binocular trick: maximize on the negative stuff and minimize the good stuff. Commenter quality declines when you're creating your own statistics, opinions, and disillusionment; ignoring the great contributions to discussion and condemning the whole thread to devolution is the inevitable conclusion.